security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Potential SSH Password Grabbing via strace (#5294)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-11-11 09:35:34 +01:00
committed by GitHub
parent 4e1c8f677c
commit 1280e0854a
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2025/11/10"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/11/10"
[rule]
author = ["Elastic"]
description = """
Detects potential SSH password grabbing via the use of strace on sshd processes. Attackers may use strace to capture
sensitive information, such as passwords, by tracing system calls made by the sshd process. This rule looks for a sequence
of events where an sshd process ends followed closely by the start of a strace process. This may be indicative of an attacker
attempting to capture SSH credentials.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SSH Password Grabbing via strace"
references = [
"https://github.com/braindead-sec/ssh-grabber",
"https://dfir.ch/posts/strace/",
]
risk_score = 47
rule_id = "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by host.id with maxspan=3s
[process where host.os.type == "linux" and event.type == "end" and process.name == "sshd"]
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "strace"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"